Required authorizations

The STEPLIB hlq.SHFIMODA must be APF-authorized.

Associate the started task that is used to run the ZCC server with a user ID that has an OMVS segment. If the BPX.SERVER facility is active, give the user ID READ access to it; otherwise, the user ID requires superuser access. Make sure write access is available to the z/OS® UNIX directory that is specified by the WORKDIR= configuration parameter. Edit and run the job HFIMKDIR in the sample library (HFI.SHFISAM1) to create this directory. Furthermore, any users logging in to the ZCC server require read access to this location. Similarly, if you configure the ZCC server to use a key database of your own creation, the ZCC server and any users who log in to it require read access to the specified key database.

Products that make use of the SPAWN_JOBNAME configuration keyword require the following authorizations. The user ID of the ZCC server must be permitted to the BPX.SUPERUSER resource of the FACILITY class and must have READ access to the BPX.JOBNAME resource, if it is defined.

The ZCC server uses C runtime services to switch user context when spawning processes for requesting clients that provide a valid user ID and password. These services are associated with the OMVSAPPL resource (or the HFIAPPL resource if PASSTK is specified) of the APPL class by default, if the APPL class is active. If this is the case, the authenticating user ID must have READ access to the OMVSAPPL or HFIAPPL resource of the APPL class.

Alternatively, your server configuration can specify APPLID=applid, where applid is a user-defined resource name defined to the APPL class. When APPLID is configured, the ZCC server uses the specified APPL class applid rather than OMVSAPPL or HFIAPPL. If PassTickets are used, the default resource name is HFIAPPL; however, this can also be overridden by the APPLID configuration parameter. In all cases, authenticating users must have READ access to the appropriate resource of the APPL class (if it is active).

If enhanced program security is enabled, at a minimum the following programs must be defined to program control, unless BPX.DAEMON.HFSCTL was set up:

  • HFISRV
  • HFIMSGT
  • HFICMENU
  • HFICMJPN
  • UHFIMSGT
  • HFI0LVL

Alternatively, define all ZCC server programs in the library HFI.SHFIMODA to program control, rather than specifying individual programs.

If enhanced program security is enabled, HFISRV must be defined with the MAIN attribute, using the APPLDATA operand on the PROGRAM profile.
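
The requirements above, expressed as RACF commands. This is an added example, not taken from the product's sample library. It assumes RACF is the security product, that the FACILITY and APPL profiles named already exist, and that the high-level qualifier is HFI; the user ID ZCCSRV, the group ZCCUSERS and the choice of UACC(READ) on the PROGRAM profiles are hypothetical.

```racf
/* Added example: ZCCSRV (ZCC server user ID) and ZCCUSERS (group   */
/* of users who log in to the server) are hypothetical names.       */

/* BPX.SERVER is active: the server user ID needs READ              */
PERMIT BPX.SERVER CLASS(FACILITY) ID(ZCCSRV) ACCESS(READ)

/* Only when a product uses the SPAWN_JOBNAME keyword               */
PERMIT BPX.SUPERUSER CLASS(FACILITY) ID(ZCCSRV) ACCESS(READ)
PERMIT BPX.JOBNAME CLASS(FACILITY) ID(ZCCSRV) ACCESS(READ)

/* Refresh in-storage profiles (FACILITY must be RACLISTed)         */
SETROPTS RACLIST(FACILITY) REFRESH

/* APPL class active: authenticating users need READ. Replace       */
/* OMVSAPPL with HFIAPPL (PassTickets) or your APPLID= value.       */
PERMIT OMVSAPPL CLASS(APPL) ID(ZCCUSERS) ACCESS(READ)
SETROPTS RACLIST(APPL) REFRESH

/* Enhanced program security: program control for each listed       */
/* program, with HFISRV carrying the MAIN attribute in APPLDATA     */
RDEFINE PROGRAM HFISRV ADDMEM('HFI.SHFIMODA'//NOPADCHK) UACC(READ) APPLDATA('MAIN')
RDEFINE PROGRAM HFIMSGT ADDMEM('HFI.SHFIMODA'//NOPADCHK) UACC(READ)
RDEFINE PROGRAM HFICMENU ADDMEM('HFI.SHFIMODA'//NOPADCHK) UACC(READ)
RDEFINE PROGRAM HFICMJPN ADDMEM('HFI.SHFIMODA'//NOPADCHK) UACC(READ)
RDEFINE PROGRAM UHFIMSGT ADDMEM('HFI.SHFIMODA'//NOPADCHK) UACC(READ)
RDEFINE PROGRAM HFI0LVL ADDMEM('HFI.SHFIMODA'//NOPADCHK) UACC(READ)
SETROPTS WHEN(PROGRAM) REFRESH

/* Check the result: access lists and the PROGRAM profile contents  */
RLIST FACILITY BPX.SERVER AUTHUSER
RLIST FACILITY BPX.SUPERUSER AUTHUSER
RLIST APPL OMVSAPPL AUTHUSER
RLIST PROGRAM HFISRV ALL
```

In the RLIST output, review who else appears on the BPX.SERVER and BPX.SUPERUSER access lists, since both profiles grant the ability to act with other users' or superuser authority.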